Back in 2011, I wrote a post explaining why and how software developers should use Authenticode to digitally sign their applications. While the vast majority of the original post remains relevant, in today’s post, I’ll share my most recent experiences with code-signing. Shopping for a Certificate In the past, I signed my code using a…

A random collection of noteworthy links: Spartan PM Jacob Rossi wrote about the new Project Spartan rendering engine. Spartan Developer Justin Rogers has a great new blog on development in general, including some tantalizing posts on evolving the Spartan codebase. Windows 10 build 9926 has been released; Spartan is not yet in it, but you…

Last week at the CodeMash conference, I delivered a session titled HTTPS in 2015: Securing your websites and services using HTTPS has never been more important, or more complicated. In this talk, a former browser Security Program Manager covers the best practices for using HTTPS today. Topics covered in this session include ciphers and hash…

Lately, there’s been a resurgence of interest in hiding script inside files of other types; sometimes this is known as a polyglot file. On Twitter, there’s been some excitement about a new tool that creates GIF/JavaScript polyglots. As you can see in the example provided in the aforementioned blog, when referenced as the source of…

Be succinct. Virtually any network-based application can be made faster by optimizing the number of bytes transferred across the network. Taking advantage of caching is a great way to minimize transfer sizes, but just as important is to reduce the size of the resources you transfer. Data compression is used throughout the protocols and formats…

Back in 2011, I wrote a long post about Authenticode, Microsoft’s Code Signing technology. In that post, I noted: Digitally signing your code helps to ensure that it cannot be tampered with, either on your servers, or when it is being downloaded to a user’s computer, especially over an insecure protocol like HTTP or FTP….

Today, I’m writing about a topic I personally know little about, but I’ve heard experts mention it in passing for years. I couldn’t find any good references, hence the post below. The first rule for building high performance web sites is to make fewer requests, and using CSS sprites is one key and commonly-deployed means…

Ivan Ristic’s meticulously researched Bulletproof SSL & TLS book spurred me to spend some time thinking about the HTTP Strict Transport Security (HSTS) feature under development by the Internet Explorer team and already available in other major browsers. HSTS enables a website to opt-in to stricter client handling of HTTPS behavior. Specifically: All HTTP connections to…

Today’s question is a simple one: “What is the maximum URL length supported by Internet Explorer?” And the answer, as befitting an IEInternals post, is surprisingly complicated. The simplistic answer is that WinINET.h defines INTERNET_MAX_URL_LENGTH as 2083 characters, and this limit remains in force in a number of places. However, the true limit can be…